xref: /aosp_15_r20/external/googleapis/google/api/auth.proto (revision d5c09012810ac0c9f33fe448fb6da8260d444cc9) 
1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.api;
18
19option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
20option java_multiple_files = true;
21option java_outer_classname = "AuthProto";
22option java_package = "com.google.api";
23option objc_class_prefix = "GAPI";
24
25// `Authentication` defines the authentication configuration for API methods
26// provided by an API service.
27//
28// Example:
29//
30//     name: calendar.googleapis.com
31//     authentication:
32//       providers:
33//       - id: google_calendar_auth
34//         jwks_uri: https://www.googleapis.com/oauth2/v1/certs
35//         issuer: https://securetoken.google.com
36//       rules:
37//       - selector: "*"
38//         requirements:
39//           provider_id: google_calendar_auth
40//       - selector: google.calendar.Delegate
41//         oauth:
42//           canonical_scopes: https://www.googleapis.com/auth/calendar.read
43message Authentication {
44  // A list of authentication rules that apply to individual API methods.
45  //
46  // **NOTE:** All service configuration rules follow "last one wins" order.
47  repeated AuthenticationRule rules = 3;
48
49  // Defines a set of authentication providers that a service supports.
50  repeated AuthProvider providers = 4;
51}
52
53// Authentication rules for the service.
54//
55// By default, if a method has any authentication requirements, every request
56// must include a valid credential matching one of the requirements.
57// It's an error to include more than one kind of credential in a single
58// request.
59//
60// If a method doesn't have any auth requirements, request credentials will be
61// ignored.
62message AuthenticationRule {
63  // Selects the methods to which this rule applies.
64  //
65  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
66  // details.
67  string selector = 1;
68
69  // The requirements for OAuth credentials.
70  OAuthRequirements oauth = 2;
71
72  // If true, the service accepts API keys without any other credential.
73  // This flag only applies to HTTP and gRPC requests.
74  bool allow_without_credential = 5;
75
76  // Requirements for additional authentication providers.
77  repeated AuthRequirement requirements = 7;
78}
79
80// Specifies a location to extract JWT from an API request.
81message JwtLocation {
82  oneof in {
83    // Specifies HTTP header name to extract JWT token.
84    string header = 1;
85
86    // Specifies URL query parameter name to extract JWT token.
87    string query = 2;
88
89    // Specifies cookie name to extract JWT token.
90    string cookie = 4;
91  }
92
93  // The value prefix. The value format is "value_prefix{token}"
94  // Only applies to "in" header type. Must be empty for "in" query type.
95  // If not empty, the header value has to match (case sensitive) this prefix.
96  // If not matched, JWT will not be extracted. If matched, JWT will be
97  // extracted after the prefix is removed.
98  //
99  // For example, for "Authorization: Bearer {JWT}",
100  // value_prefix="Bearer " with a space at the end.
101  string value_prefix = 3;
102}
103
104// Configuration for an authentication provider, including support for
105// [JSON Web Token
106// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
107message AuthProvider {
108  // The unique identifier of the auth provider. It will be referred to by
109  // `AuthRequirement.provider_id`.
110  //
111  // Example: "bookstore_auth".
112  string id = 1;
113
114  // Identifies the principal that issued the JWT. See
115  // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1
116  // Usually a URL or an email address.
117  //
118  // Example: https://securetoken.google.com
119  // Example: [email protected]
120  string issuer = 2;
121
122  // URL of the provider's public key set to validate signature of the JWT. See
123  // [OpenID
124  // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
125  // Optional if the key set document:
126  //  - can be retrieved from
127  //    [OpenID
128  //    Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
129  //    of the issuer.
130  //  - can be inferred from the email domain of the issuer (e.g. a Google
131  //  service account).
132  //
133  // Example: https://www.googleapis.com/oauth2/v1/certs
134  string jwks_uri = 3;
135
136  // The list of JWT
137  // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).
138  // that are allowed to access. A JWT containing any of these audiences will
139  // be accepted. When this setting is absent, JWTs with audiences:
140  //   - "https://[service.name]/[google.protobuf.Api.name]"
141  //   - "https://[service.name]/"
142  // will be accepted.
143  // For example, if no audiences are in the setting, LibraryService API will
144  // accept JWTs with the following audiences:
145  //   -
146  //   https://library-example.googleapis.com/google.example.library.v1.LibraryService
147  //   - https://library-example.googleapis.com/
148  //
149  // Example:
150  //
151  //     audiences: bookstore_android.apps.googleusercontent.com,
152  //                bookstore_web.apps.googleusercontent.com
153  string audiences = 4;
154
155  // Redirect URL if JWT token is required but not present or is expired.
156  // Implement authorizationUrl of securityDefinitions in OpenAPI spec.
157  string authorization_url = 5;
158
159  // Defines the locations to extract the JWT.  For now it is only used by the
160  // Cloud Endpoints to store the OpenAPI extension [x-google-jwt-locations]
161  // (https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-jwt-locations)
162  //
163  // JWT locations can be one of HTTP headers, URL query parameters or
164  // cookies. The rule is that the first match wins.
165  //
166  // If not specified,  default to use following 3 locations:
167  //    1) Authorization: Bearer
168  //    2) x-goog-iap-jwt-assertion
169  //    3) access_token query parameter
170  //
171  // Default locations can be specified as followings:
172  //    jwt_locations:
173  //    - header: Authorization
174  //      value_prefix: "Bearer "
175  //    - header: x-goog-iap-jwt-assertion
176  //    - query: access_token
177  repeated JwtLocation jwt_locations = 6;
178}
179
180// OAuth scopes are a way to define data and permissions on data. For example,
181// there are scopes defined for "Read-only access to Google Calendar" and
182// "Access to Cloud Platform". Users can consent to a scope for an application,
183// giving it permission to access that data on their behalf.
184//
185// OAuth scope specifications should be fairly coarse grained; a user will need
186// to see and understand the text description of what your scope means.
187//
188// In most cases: use one or at most two OAuth scopes for an entire family of
189// products. If your product has multiple APIs, you should probably be sharing
190// the OAuth scope across all of those APIs.
191//
192// When you need finer grained OAuth consent screens: talk with your product
193// management about how developers will use them in practice.
194//
195// Please note that even though each of the canonical scopes is enough for a
196// request to be accepted and passed to the backend, a request can still fail
197// due to the backend requiring additional scopes or permissions.
198message OAuthRequirements {
199  // The list of publicly documented OAuth scopes that are allowed access. An
200  // OAuth token containing any of these scopes will be accepted.
201  //
202  // Example:
203  //
204  //      canonical_scopes: https://www.googleapis.com/auth/calendar,
205  //                        https://www.googleapis.com/auth/calendar.read
206  string canonical_scopes = 1;
207}
208
209// User-defined authentication requirements, including support for
210// [JSON Web Token
211// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
212message AuthRequirement {
213  // [id][google.api.AuthProvider.id] from authentication provider.
214  //
215  // Example:
216  //
217  //     provider_id: bookstore_auth
218  string provider_id = 1;
219
220  // NOTE: This will be deprecated soon, once AuthProvider.audiences is
221  // implemented and accepted in all the runtime components.
222  //
223  // The list of JWT
224  // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).
225  // that are allowed to access. A JWT containing any of these audiences will
226  // be accepted. When this setting is absent, only JWTs with audience
227  // "https://[Service_name][google.api.Service.name]/[API_name][google.protobuf.Api.name]"
228  // will be accepted. For example, if no audiences are in the setting,
229  // LibraryService API will only accept JWTs with the following audience
230  // "https://library-example.googleapis.com/google.example.library.v1.LibraryService".
231  //
232  // Example:
233  //
234  //     audiences: bookstore_android.apps.googleusercontent.com,
235  //                bookstore_web.apps.googleusercontent.com
236  string audiences = 2;
237}
238